Possible break-in attempt?

marius adrian popa mapopa at gmail.com
Fri Jan 8 12:44:31 GMT 2010


2010/1/8 madalin <niladam at gmail.com>:
> That advice about changing the port is indeed useful. But if you don't
> want to follow it, look for csf (configserver.com) or build yourself a
> good firewall.
>
> 2010/1/8 Alexandru Cucu <cracknel.org at gmail.com>:
>> The ones with "invalid user" are part of an SSH brute-force attack.
>> My advice: change the SSH server's port.
>>
>> 2010/1/8 florin <florin at xcellcomputers.ro>:
>>> In the log.auth file in /var/log I read the following:
>>>
>>> Dec 30 19:09:01 telacad CRON[26205]: pam_unix(cron:session): session
>>> opened for user root by (uid=0)
>>> Dec 30 19:09:01 telacad dbus-daemon: Rejected send message, 1 matched
>>> rules; type="method_call", sender=":1.31" (uid=1000 pid=3643
>>> comm="/usr/lib/indicator-$
>>> Dec 30 19:09:01 telacad CRON[26205]: pam_unix(cron:session): session
>>> closed for user root
>>>
>>> pam_unix(cron:session): session opened for user root by (uid=0)
>>> Dec 30 19:30:03 telacad dbus-daemon: Rejected send message, 1 matched
>>> rules; type="method_call", sender=":1.31" (uid=1000 pid=3643
>>> comm="/usr/lib/indicator-$
>>> Dec 30 19:30:05 telacad CRON[27043]: pam_unix(cron:session): session
>>> closed for user root
>>> Dec 30 19:33:40 telacad sshd[27344]: Did not receive identification
>>> string from 188.121.134.50
>>>
>>> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
>>> tty=ssh ruser= rhost=94.52.203.47  user=root
>>> Jan  1 21:43:35 telacad sshd[21374]: Failed password for root from
>>> 94.52.203.47 port 32785 ssh2
>>> Jan  1 21:43:40 telacad sshd[21376]: pam_unix(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.52.203.47  user=root
>>> Jan  1 21:43:42 telacad sshd[21376]: Failed password for root from
>>> 94.52.203.47 port 33170 ssh2
>>>
>>> Jan  3 18:25:50 telacad sshd[23891]: Invalid user luxmundi from
>>> 74.223.159.121
>>> Jan  3 18:25:50 telacad sshd[23891]: pam_unix(sshd:auth): check pass;
>>> user unknown
>>> Jan  3 18:25:50 telacad sshd[23891]: pam_unix(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser=
>>> rhost=74.223.159.121.nw.nuvox.net
>>> Jan  3 18:25:50 telacad sshd[23886]: Failed password for invalid user
>>> utilidades from 74.223.159.121 port 38618 ssh2
>>> Jan  3 18:25:51 telacad sshd[23885]: Failed password for invalid user
>>> sol from 74.223.159.121 port 38612 ssh2
>>> Jan  3 18:25:51 telacad sshd[23889]: Failed password for invalid user
>>> Aarni from 74.223.159.121 port 38713 ssh2
>>> Jan  3 18:25:51 telacad sshd[23891]: Failed password for invalid user
>>> luxmundi from 74.223.159.121 port 38794 ssh2
>>> Jan  3 18:25:53 telacad sshd[23894]: Invalid user perla from 74.223.159.121
>>> Jan  3 18:25:53 telacad sshd[23893]: Invalid user Aarno from 74.223.159.121
>>>
>>>
>>> Jan  8 11:56:56 telacad sshd[4156]: reverse mapping checking getaddrinfo
>>> for 20.117.127.124.broad.bj.bj.static.163data.com.cn [124.127.117.20]
>>> failed - POSSIBLE BREAK-IN ATTEMPT!
>>> Jan  8 11:56:56 telacad sshd[4156]: pam_unix(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.127.117.20
>>> user=root
>>> Jan  8 11:56:57 telacad sshd[4156]: Failed password for root from
>>> 124.127.117.20 port 57299 ssh2
>>> Jan  8 11:57:00 telacad sshd[4159]: reverse mapping checking getaddrinfo
>>> for 20.117.127.124.broad.bj.bj.static.163data.com.cn [124.127.117.20]
>>> failed - POSSIBLE BREAK-IN ATTEMPT!
>>> Jan  8 11:57:00 telacad sshd[4159]: pam_unix(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.127.117.20
>>> user=root
>>>
>>>
>>> I'd like to know whether I was attacked, or what these messages mean,
>>> especially the one with POSSIBLE BREAK-IN ATTEMPT!?
>>> I should mention that my computer's name "telacad" has nothing in common
>>> with the "telacad" school.
>>> For messages like the first ones above I think I have dozens of users and IPs.
>>> Can anyone help me with some information?
>>> Thank you anyway, you are a super cool team!
>>> Best of luck going forward.

changing the port doesn't solve anything, it's security by obscurity (clear-text
passwords have to be disabled)
the most correct approach is to generate an ssh key on the system you want to
log in from
ssh-keygen
and the public key
cat ~/.ssh/id_dsa.pub
has to be put on the server in ~/.ssh/authorized_keys2

after which you have to change, in
/etc/ssh/sshd_config
PasswordAuthentication no
and restart the sshd daemon
sudo /etc/init.d/ssh restart


>>> --
>>> ubuntu-ro mailing list
>>> ubuntu-ro at lists.ubuntu.com
>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-ro
>>>
>
>
>
> --
> Warm regards,
> madalin
> http://madalin.eu
>
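As an added illustration (not part of this thread), the following Python script parses auth.log lines in the format florin pasted and answers his question per source address: the "POSSIBLE BREAK-IN ATTEMPT" text is only sshd noting that the address's reverse DNS and forward DNS disagree, and the one pattern that would actually need incident response is a successful login from a source that had also been failing. The sample lines are constructed from the quoted excerpt; the final "Accepted publickey" line, the user florin and the address 10.0.0.5 are assumed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log excerpt quoted above (same hosts, IPs and
# user names); the last "Accepted publickey" line is an assumed success case.
SAMPLE_LOG = """\
Jan  1 21:43:35 telacad sshd[21374]: Failed password for root from 94.52.203.47 port 32785 ssh2
Jan  1 21:43:42 telacad sshd[21376]: Failed password for root from 94.52.203.47 port 33170 ssh2
Jan  3 18:25:50 telacad sshd[23891]: Invalid user luxmundi from 74.223.159.121
Jan  3 18:25:50 telacad sshd[23886]: Failed password for invalid user utilidades from 74.223.159.121 port 38618 ssh2
Jan  3 18:25:51 telacad sshd[23885]: Failed password for invalid user sol from 74.223.159.121 port 38612 ssh2
Jan  3 18:25:53 telacad sshd[23894]: Invalid user perla from 74.223.159.121
Jan  8 11:56:56 telacad sshd[4156]: reverse mapping checking getaddrinfo for 20.117.127.124.broad.bj.bj.static.163data.com.cn [124.127.117.20] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan  8 11:56:57 telacad sshd[4156]: Failed password for root from 124.127.117.20 port 57299 ssh2
Jan  8 12:01:10 telacad sshd[4201]: Accepted publickey for florin from 10.0.0.5 port 51022 ssh2
"""

FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
REVMAP = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[([^\]]+)\] failed")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")

def summarize(log_text):
    per_ip = defaultdict(lambda: {"failed": 0, "invalid_users": set(),
                                  "revmap_mismatch": False, "accepted": 0})
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            per_ip[m.group(3)]["failed"] += 1
            if m.group(1):  # guessed a user name that does not exist on this host
                per_ip[m.group(3)]["invalid_users"].add(m.group(2))
        elif m := INVALID.search(line):
            per_ip[m.group(2)]["invalid_users"].add(m.group(1))
        elif m := REVMAP.search(line):  # PTR and forward A record disagree, nothing more
            per_ip[m.group(1)]["revmap_mismatch"] = True
        elif m := ACCEPTED.search(line):
            per_ip[m.group(2)]["accepted"] += 1
    return dict(per_ip)

def classify(rec):
    """A success from a source that also failed is the only case to treat as an incident."""
    if rec["accepted"] and (rec["failed"] or rec["invalid_users"]):
        return "success-after-failures"
    if rec["accepted"]:
        return "legitimate"
    if rec["failed"] or rec["invalid_users"]:
        return "password-guessing"
    return "reverse-dns-mismatch-only" if rec["revmap_mismatch"] else "noise"

def report(log_text):
    return {ip: classify(rec) for ip, rec in summarize(log_text).items()}
```

Run `report(open("/var/log/auth.log").read())` on a real file; with PasswordAuthentication set to no as described above, every "password-guessing" source is noise because no password is ever checked.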


